blackmoon | 7b122e6ade0e52deedcfaa9d367c9665269afee69d2e3262f0d3a0d757b1e40d

General

Target

7b122e6ade0e52deedcfaa9d367c9665269afee69d2e3262f0d3a0d757b1e40d
Size

32KB
Sample

221002-zwz59scahl
MD5

ea4419c9dbf9a75448ecf8ed163834f0
SHA1

b849767e86bcf59e9290214f30b62a76affaa0ea
SHA256

7b122e6ade0e52deedcfaa9d367c9665269afee69d2e3262f0d3a0d757b1e40d
SHA512

78d97f184e74fc3c17d9f753f7ebcdfabc46850996b40a9ecebb8b5db55e3e10f3c2ea3dbe365ed098617d0ff04ac5737cfd718d7fc8b1f0886d6d35a0fb0521
SSDEEP

768:FAKmtpcn1vJZBeyTMxi5Wxq6V/o4RAozcwiN:yKmtpcnRJ2yTMxi5WxHV/o4RAozcT

Score

10^/10

Malware Config

Targets

- Target
  
  7b122e6ade0e52deedcfaa9d367c9665269afee69d2e3262f0d3a0d757b1e40d
- Size
  
  32KB
- MD5
  
  ea4419c9dbf9a75448ecf8ed163834f0
- SHA1
  
  b849767e86bcf59e9290214f30b62a76affaa0ea
- SHA256
  
  7b122e6ade0e52deedcfaa9d367c9665269afee69d2e3262f0d3a0d757b1e40d
- SHA512
  
  78d97f184e74fc3c17d9f753f7ebcdfabc46850996b40a9ecebb8b5db55e3e10f3c2ea3dbe365ed098617d0ff04ac5737cfd718d7fc8b1f0886d6d35a0fb0521
- SSDEEP
  
  768:FAKmtpcn1vJZBeyTMxi5Wxq6V/o4RAozcwiN:yKmtpcnRJ2yTMxi5WxHV/o4RAozcT
Score

10^/10

blackmoon gh0strat joker banker bootkit discovery infostealer persistence rat trojan
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Gh0st RAT payload
- Gh0strat
  Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
  rat gh0strat
- joker
  Joker is an Android malware that targets billing and SMS fraud.
  infostealer trojan joker
- ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
- Downloads MZ/PE file
- Executes dropped EXE
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Writes to the Master Boot Record (MBR)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  bootkit persistence
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

Remote System Discovery

1

T1018

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Targets

Blackmoon, KrBanker

Detect Blackmoon payload

Gh0st RAT payload

Gh0strat

joker

ACProtect 1.3x - 1.4x DLL software

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in System32 directory

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks

static1

behavioral1

behavioral2